forked from pool/python

408 Commits

Author SHA256 Message Date
3edb04a7cd Accepting request 962755 from home:msmeissn:branches:devel:languages:python:Factory
- python-2.7.9-sles-disable-verification-by-default.patch: remove
  as it by default now always does strict enforcement anyway and it
  is 2022.

OBS-URL: https://build.opensuse.org/request/show/962755
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=322
2022-03-18 17:01:12 +00:00
Dominique Leuenberger
5f69396b1f Accepting request 958406 from devel:languages:python:Factory
- Recover again proper value of %python2_package_prefix
  (bsc#1175619).

OBS-URL: https://build.opensuse.org/request/show/958406
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=168
2022-03-03 23:16:53 +00:00
2dad11ae4d - Recover again proper value of %python2_package_prefix
  (bsc#1175619).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=320
2022-03-02 00:59:44 +00:00
Dominique Leuenberger
85f461bd4a Accepting request 957826 from devel:languages:python:Factory
WOW! I really messed up that changelog. Sorry.

- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).

OBS-URL: https://build.opensuse.org/request/show/957826
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=167
2022-02-27 21:42:50 +00:00
f6d8c1bb6a Fix changelogs
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=319
2022-02-26 20:11:49 +00:00
dc8a4b385b - Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Run pre_checkin.sh as well (so other than python-base
  changelogs are synced as well).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=318
2022-02-26 12:44:02 +00:00
Dominique Leuenberger
a939e74527 Accepting request 955867 from devel:languages:python:Factory
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Older SLE versions should use old OpenSSL.

OBS-URL: https://build.opensuse.org/request/show/955867
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=166
2022-02-21 16:45:49 +00:00
9442b9b6ab - BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=317
2022-02-18 11:02:04 +00:00
a2b1f34add - Older SLE versions should use old OpenSSL.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=316
2022-02-18 10:52:31 +00:00
Dominique Leuenberger
fdf5d1ffa0 Accepting request 953310 from devel:languages:python:Factory
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.

OBS-URL: https://build.opensuse.org/request/show/953310
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=165
2022-02-11 22:06:42 +00:00
Dominique Leuenberger
7dbfe15b00 Accepting request 953032 from devel:languages:python:Factory
Keep existing SR, ready for checkin

OBS-URL: https://build.opensuse.org/request/show/953032
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=164
2022-02-09 19:38:40 +00:00
5c19a933c4 Actually be py2k compatible
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=314
2022-02-09 17:44:12 +00:00
510e372768 Forgot to run pre_checkin.sh
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=313
2022-02-09 16:55:07 +00:00
e29abdcb89 - Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=312
2022-02-09 16:52:05 +00:00
430843dcc5 Add What's New entry.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=311
2022-02-06 08:01:12 +00:00
68c3ceb48d - Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.

- build against openssl 1.1.x (incompatible with openssl 3.0x)
  for now.

- on sle12, python2 modules will still be called python-xxxx until EOL,
  for newer SLE versions they will be python2-xxxx

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=310
2022-02-06 07:47:48 +00:00
Dominique Leuenberger
1e3e266516 Accepting request 936064 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/936064
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=163
2021-12-08 21:08:42 +00:00
556d0713a6 Accepting request 936021 from home:dirkmueller:Factory
- build against openssl 1.1.x (incompatible with openssl 3.0x) for now

OBS-URL: https://build.opensuse.org/request/show/936021
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=309
2021-12-06 15:16:14 +00:00
Dominique Leuenberger
535861326a Accepting request 928845 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/928845
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=162
2021-11-06 17:13:05 +00:00
b580dedff6 Accepting request 928691 from home:msmeissn:branches:devel:languages:python:Factory
- on sle12, python2 modules will still be called python-xxxx until EOL,
  for newer SLE versions they will be python2-xxxx

OBS-URL: https://build.opensuse.org/request/show/928691
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=308
2021-11-02 19:29:32 +00:00
Dominique Leuenberger
e81e86bf69 Accepting request 925440 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/925440
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=161
2021-10-25 13:16:44 +00:00
a1e48140c5 Accepting request 925378 from home:dimstar:Factory
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.

- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.

- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.

OBS-URL: https://build.opensuse.org/request/show/925378
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=307
2021-10-15 13:31:18 +00:00
Dominique Leuenberger
0cca0517f9 Accepting request 924297 from devel:languages:python:Factory
Fix changes

OBS-URL: https://build.opensuse.org/request/show/924297
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=160
2021-10-11 13:31:02 +00:00
971ad33422 - Remove upstreamed patches:
  - CVE-2019-18348-CRLF_injection_via_host_part.patch
  - python-2.7.14-CVE-2017-1000158.patch
  - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
  - CVE-2018-1061-DOS-via-regexp-difflib.patch
  - CVE-2019-10160-netloc-port-regression.patch
  - CVE-2019-16056-email-parse-addr.patch
  - Fixes a ReDoS vulnerability in `http.cookiejar`. Patch by Ben
    Caller.
  - Fixed possible leak in `PyArg_Parse` and similar
    `PY_SSIZE_T_CLEAN` is not defined.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=306
2021-10-08 20:45:22 +00:00
Dominique Leuenberger
a2d457cf35 Accepting request 923134 from devel:languages:python:Factory
- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
  in specifically crafted tarball.
  Add recursion.tar as a testing tarball for the patch.

OBS-URL: https://build.opensuse.org/request/show/923134
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=159
2021-10-05 20:33:50 +00:00
97f5f8e975 - Modify Lib/ensurepip/__init__.py to contain the same version
  numbers as are in reality the ones in the bundled wheels
  (bsc#1187668).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=305
2021-10-04 21:15:18 +00:00
Dominique Leuenberger
e11bd215de Accepting request 921455 from devel:languages:python:Factory
Synchronization of the package with SLE version.

OBS-URL: https://build.opensuse.org/request/show/921455
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=158
2021-09-30 21:42:52 +00:00
793c3bb790 - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
  in specifically crafted tarball.
  Add recursion.tar as a testing tarball for the patch.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
  (CVE-2020-26116, bpo#39603) no longer allowing special characters in
  the method parameter of HTTPConnection.putrequest in httplib, stopping
  injection of headers. Such characters now raise ValueError. 
  - bsc#1155094 (CVE-2019-18348) Disallow control characters in
    hostnames in http.client. Such potentially malicious header
    injection URLs now cause a InvalidURL to be raised.
- bsc#1109847 (CVE-2018-14647): add
  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
  bpo-34623.
  fixing bpo-35746 (CVE-2019-5010).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=304
2021-09-25 21:16:13 +00:00
Dominique Leuenberger
9f95aebbf6 Accepting request 919877 from devel:languages:python:Factory
addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such
    potentially malicious header injection URLs now cause
    InvalidURL to be raised.

OBS-URL: https://build.opensuse.org/request/show/919877
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=157
2021-09-21 19:12:16 +00:00
7919fc45c1 Run pre_checkin.sh
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=303
2021-09-17 19:43:07 +00:00
40fb7b0f61 Add CVE-2019-18348 to changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=302
2021-09-17 19:42:42 +00:00
eab39a1bee Fix python-doc.spec
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=301
2021-09-17 19:41:23 +00:00
af50cf637c Add CVE-2019-18348 to changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=300
2021-09-17 19:38:46 +00:00
Dominique Leuenberger
6c0d6bd722 Accepting request 914454 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/914454
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=156
2021-08-28 20:28:52 +00:00
de8c3896ee Accepting request 914418 from home:fusionfuture:branches:devel:languages:python:Factory
- Renamed patch for assigned CVE:
  * bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch ->
    CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
    (boo#1189241, CVE-2021-3737)

OBS-URL: https://build.opensuse.org/request/show/914418
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=299
2021-08-26 21:32:53 +00:00
e77cbb0e48 Accepting request 913777 from home:fusionfuture:branches:devel:languages:python:Factory
- Renamed patch for assigned CVE:
  * bpo43075-fix-ReDoS-in-request.patch -> CVE-2021-3733-fix-ReDoS-in-request.patch
    (boo#1189287, CVE-2021-3733)
- Fix python-doc build (bpo#35293):
  * sphinx-update-removed-function.patch
- Update documentation formatting for Sphinx 3.0 (bpo#40204).

OBS-URL: https://build.opensuse.org/request/show/913777
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=298
2021-08-26 06:56:34 +00:00
Richard Brown
65ab37fec4 Accepting request 911255 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/911255
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=155
2021-08-18 06:55:20 +00:00
8a27bf7896 Accepting request 911251 from home:fusionfuture:branches:devel:languages:python:Factory
- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
  request (bpo#43075, boo#1189287).
- Add missing security announcement to
  bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.

old: devel:languages:python:Factory/python
new: home:fusionfuture:branches:devel:languages:python:Factory/python rev None
Index: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
===================================================================
--- bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch (revision 296)
+++ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch (revision 3)
@@ -19,3 +19,8 @@
  
          self.status = status
          self.reason = reason.strip()
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
+@@ -0,0 +1,2 @@
++mod:`http.client` now avoids infinitely reading potential HTTP headers after a
++``100 Continue`` status response from the server.
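Review bot: the NEWS text appended at the end of this patch begins with mod:`http.client` rather than :mod:`http.client`, so the leading colon of the reST role is missing and the line will render as literal text instead of a module reference. Suggest restoring the colon so the security announcement matches the role syntax used elsewhere in Misc/NEWS.d entries.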
Index: python-base.changes
===================================================================
--- python-base.changes (revision 296)
+++ python-base.changes (revision 3)
@@ -1,4 +1,12 @@
 -------------------------------------------------------------------
+Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
+  request (bpo#43075, boo#1189287).
+- Add missing security announcement to
+  bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
+
+-------------------------------------------------------------------
 Mon Aug  9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
 
 - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
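Review bot: the new entry describes the fix only as "fixes ReDoS in request", which does not tell a reader of the changelog which module or class is affected. Suggest naming the component the patch touches (the patch added in this same request changes AbstractBasicAuthHandler in Lib/urllib2.py) so the entry can be used for triage without opening the patch. The identical wording is carried into the python-doc.changes and python.changes hunks and would need the same change there.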
Index: python-base.spec
===================================================================
--- python-base.spec (revision 296)
+++ python-base.spec (revision 3)
@@ -105,6 +105,8 @@
 Patch62:        CVE-2021-23336-only-amp-as-query-sep.patch
 # PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
 Patch63:        bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64:        bpo43075-fix-ReDoS-in-request.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -233,6 +235,7 @@
 %patch61 -p1
 %patch62 -p1
 %patch63 -p1
+%patch64 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
Index: python-doc.changes
===================================================================
--- python-doc.changes (revision 296)
+++ python-doc.changes (revision 3)
@@ -1,4 +1,12 @@
 -------------------------------------------------------------------
+Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
+  request (bpo#43075, boo#1189287).
+- Add missing security announcement to
+  bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
+
+-------------------------------------------------------------------
 Mon Aug  9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
 
 - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
Index: python-doc.spec
===================================================================
--- python-doc.spec (revision 296)
+++ python-doc.spec (revision 3)
@@ -107,6 +107,8 @@
 Patch62:        CVE-2021-23336-only-amp-as-query-sep.patch
 # PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
 Patch63:        bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64:        bpo43075-fix-ReDoS-in-request.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@@ -177,6 +179,7 @@
 %patch61 -p1
 %patch62 -p1
 %patch63 -p1
+%patch64 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
Index: python.changes
===================================================================
--- python.changes (revision 296)
+++ python.changes (revision 3)
@@ -1,4 +1,12 @@
 -------------------------------------------------------------------
+Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
+  request (bpo#43075, boo#1189287).
+- Add missing security announcement to
+  bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
+
+-------------------------------------------------------------------
 Mon Aug  9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
 
 - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
Index: python.spec
===================================================================
--- python.spec (revision 296)
+++ python.spec (revision 3)
@@ -107,6 +107,8 @@
 Patch62:        CVE-2021-23336-only-amp-as-query-sep.patch
 # PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
 Patch63:        bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64:        bpo43075-fix-ReDoS-in-request.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -291,6 +293,7 @@
 %patch61 -p1
 %patch62 -p1
 %patch63 -p1
+%patch64 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
Index: bpo43075-fix-ReDoS-in-request.patch
===================================================================
--- bpo43075-fix-ReDoS-in-request.patch (added)
+++ bpo43075-fix-ReDoS-in-request.patch (revision 3)
@@ -0,0 +1,15 @@
+--- a/Lib/urllib2.py
++++ b/Lib/urllib2.py
+@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
+ 
+     # allow for double- and single-quoted realm values
+     # (single quotes are a violation of the RFC, but appear in the wild)
+-    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
++    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
+                     'realm=(["\']?)([^"\']*)\\2', re.I)
+ 
+     # XXX could pre-emptively send auth info already accepted (RFC 2617,
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+@@ -0,0 +1 @@
++Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`.  The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
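Review bot: the NEWS entry at the end of this patch names :class:`urllib.request.AbstractBasicAuthHandler`, but the only code change is to Lib/urllib2.py, so for this package the affected class is the one in urllib2; the entry should say so, or note that the text is taken over from the Python 3 fix. The same sentence also reads "it allows cause a denial of service when identifying crafted invalid RFCs", which is ungrammatical and unclear about what input is meant. Separately, the patch changes the pattern from ([^ \t]+) to ([^ \t,]+) without adding a regression test; a test that feeds the handler a long, non-matching header value and checks that matching returns promptly would keep the quadratic behaviour from coming back.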

OBS-URL: https://build.opensuse.org/request/show/911251
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=297
2021-08-10 12:55:29 +00:00
3cfc9f2646 Accepting request 911127 from home:fusionfuture:branches:devel:languages:python:Factory
- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
  which fixes http client infinite line reading (DoS) after a http 
  100 (bpo#44022, boo#1189241).

OBS-URL: https://build.opensuse.org/request/show/911127
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=296
2021-08-10 04:45:07 +00:00
Richard Brown
9e4124b4d3 Accepting request 875546 from devel:languages:python:Factory
- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids
  use of semicolon as a query string separator (bpo#42967,
  bsc#1182379, CVE-2021-23336).
- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids
  use of semicolon as a query string separator (bpo#42967,
  bsc#1182379, CVE-2021-23336).
- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids
  use of semicolon as a query string separator (bpo#42967,
  bsc#1182379, CVE-2021-23336).

OBS-URL: https://build.opensuse.org/request/show/875546
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=154
2021-03-05 12:44:35 +00:00
767f0ce31a - Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids
  use of semicolon as a query string separator (bpo#42967,
  bsc#1182379, CVE-2021-23336).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=294
2021-02-26 22:02:43 +00:00
Dominique Leuenberger
b0e89b7316 Accepting request 868217 from devel:languages:python:Factory
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.

OBS-URL: https://build.opensuse.org/request/show/868217
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=153
2021-02-04 19:22:06 +00:00
c021ec3bc1 - Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=292
2021-01-31 18:01:03 +00:00
Dominique Leuenberger
ecd632c681 Accepting request 860672 from devel:languages:python:Factory
- (bsc#1180125) We really don't Require python-rpm-macros package.
  Unnecessary dependency.

OBS-URL: https://build.opensuse.org/request/show/860672
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=152
2021-01-10 18:38:46 +00:00
a349f4646b - (bsc#1180125) We really don't Require python-rpm-macros package.
  Unnecessary dependency.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=290
2021-01-05 09:19:30 +00:00
Dominique Leuenberger
d6c2099cb2 Accepting request 810400 from devel:languages:python:Factory
- Add patch configure_PYTHON_FOR_REGEN.patch which makes
  configure.ac to consider the correct version of
  PYTHON_FO_REGEN (bsc#1078326).

OBS-URL: https://build.opensuse.org/request/show/810400
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=151
2020-06-11 12:37:31 +00:00
05961d060d Fix changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=288
2020-05-30 20:15:37 +00:00
d9c94c7ce3 Fix changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=287
2020-05-30 13:40:50 +00:00
d565063e61 Fix changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=286
2020-05-30 13:39:55 +00:00
99cc3eb1fe Fix changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=285
2020-05-30 12:27:03 +00:00